Skip to content

Removing attribute_accessor docs duplication #6212

Closed
wants to merge 675 commits into from
@frodsan
frodsan commented May 8, 2012

/cc @vijaydev

spastorino and others added some commits Mar 3, 2012
@spastorino spastorino Turn off verbose mode of rack-cache, we still have X-Rack-Cache to ch…
…eck that info

Closes #5245
520571a
@vijaydev vijaydev CSS fix for guides. Closing #5028 [ci skip]
In Ubuntu Chrome, in the last lines of code blocks, the underscore isn't
visible. Increasing the line height slightly seems to fix this. This
problem doesn't exist in Firefox even on Ubuntu. Too lazy to test in
any other OS-browser combo :)
23ca13a
@larskanis larskanis fix associations when using per class databases
would get ConnectionNotEstablished error because it always tried to use
ActiveRecord::Base's connection, even though it should be using the connection
of the model whose context we're operating in
f6d478a
@carlosantoniodasilva carlosantoniodasilva Only run binary type cast test with encode! on Ruby 1.9 864d755
@NZKoz NZKoz Whitelist all attribute assignment by default.
Change the default for newly generated applications to whitelist all attribute assignment.  Also update the generated model classes so users are reminded of the importance of attr_accessible.
06a3a8a
@yaroslav

Thanks! Guess the change in config/application.rb would be enough, but people tend to create a shitstorm instead.

Was this really intended for 3-2-stable?

Looks great! I like it!

\m/

Awesome.

Ruby on Rails member

@parndt it will be on only for new apps, so yes it's safe to do it on 3-2-stable

+1million

Nice one!

eval replied Mar 4, 2012

Once I started using attr_accessible consistently, it was handy to have a role that could access any attribute. sudo_attr_accessibility is the result I came up with https://github.com/eval/sudo_attr_accessibility

About time this was made default. It's just way too easy to forget about things with a permitted-by-default scheme.

dirk replied Mar 4, 2012

@eval Considering that sudo is short for su (super-user) and do, wouldn't a more apt name for the access-all role be just su?

Ruby on Rails member

@eval you can specify the role, not sure when was it added, but probably 3.1/3.2

Guess we can thank @homakov for that.

@drogus Yeah but @eval's way of doing it gives access to all attributes, the roles only give the permissions set.

I think this is a great way to deal with the issue, as it doesn't breaks old apps. I really like the patch.

The downside is, that old apps still keep the vulnerability, maybe we could also add some warnings, similar to deprecation warnings like, "Your model blacklists your attrs and may be vulnerable to mass-assignment - consider using attr_accessible" (And a way to shut the warning of, for those who doesn't care :)

Old apps would keep this vulnerability no matter what they add if they don't update their Rails version.

Ruby on Rails member

@larzconwell it's dead simple to do something like that in previous rails versions, by doing for example ActiveRecord::Base.attr_accessible nil, the thing is that if you have a big app that does not whitelist attributes, it will all break if you turn it on. That's why there is no simple magical fix for it.

How would that code get into someone's Rails version that's already downloaded though? They'd have to re-install Rails, or update the version to get any new code. Right? Maybe I'm just not thinking it through all the way.

jtoy replied Mar 5, 2012

Thanks for fixing this @homakov !!!

Ruby on Rails member

@larzconwell this commit only changes things that are generated, so even if you upgrade, it will not change anything in your application. If your app is vulnerable, you need to use attr_accessible or secure your models in some other way, there is no simple fix for it as this is not regular security issue that can be easily fixed by framework. It was probably mistake to not make whitelisting default, but the tools to secure mass assignment was in place for years.

Oh yeah I knew that, just a slow moment haha. Sorry for the confusion!

Seems legit.

@larzconwell

Since it really isn't a rails-framework issue, I think it is important to make developers aware of it. If you do regular rails upgrades in your apps (which you really should for security fixes), you should at least got some warnings on vulnerable models.

A walk through as to how to incorporate this into existing web applications will be nice.

@marcoemrich Definitely true, developers should use attr_accessible no matter what.

@why-el Well an existing application should already have attr_accessible in it, but un-comment config.active_record.whitelist_attributes = true into your config/application.rb

tinco replied Mar 5, 2012

Older rails applications will still be vulnerable even when they upgrade their rails version. This commit only fixes the generator of the config file. Granted ofcourse that they were not handling their attribute protection right, like github was.

@larzconwell Done. Thanks.

@d-snp right, of course - that's why I would suggest to add a warning system, that informs the developers about their possible vulnerability and recommend switching to a whitelist concept

Rails could output a warning, for all models, that don't use attr_accessible

janx replied Mar 5, 2012

thanks @homakov!

thanks @homakov!

a thousand crackers just shed a tear

o/

Nice! I like it.

budu replied Mar 5, 2012

Finally! I've been advocating something like that (through an initializer) at my job and nobody would listen. I can't count the number of vulnerable web app I've seen out there!

Ah, the story has a happy ending!

eval replied Mar 5, 2012

@drogus yes, but once you define any role (say 'attr_accessible :name, :as => :possibly_malicious_user_input') i.e. specifically for mass-assignments in controllers, there's no way to ignore roles in other parts of your code (e.g. tests, working in console, whole lot's of non-controller code).

Ways to workaround are
1. use ':without_protection => true' (cumbersome),
2. explicitly (re)define all attributes to be attr_accessible for some other role, maybe 'default' (hard to maintain when adding attributes).

This gem helps with 2) in that you can define a role that has always access to all attributes. Maybe better: When doing 'sudo_attr_accessible_as :default' code can be role-unaware by default.

eval replied Mar 5, 2012

@dirk good point!

Ruby on Rails member

@eval ok, sorry, I just skimmed through the README and didn't get that difference

It still auto-adds the attr_accessible list which is nearly as bad as allowing mass assignment in the first place. At most it should add an informative comment, and the error message about being unable to mass assign attributes should be made better, possibly with a URL to the existing mass assignment Rails guide.

Ruby on Rails member

@eval write a custom TestSanitizer that doesn't remove anything from the attribute hash and configure it in your test environment or you can do it on a test by test basis:

class TestSanitizer < ActiveModel::MassAssignmentSecurity::Sanitizer
  def sanitize(attributes, authorizer)
    attributes # you may want to do something else here
  end
end

class MyTestCase < ActiveSupport::TestCase
  def test_case
    without_attribute_protection do
      # your test code
    end
  end

  def without_attribute_protection
    ActiveRecord::Base.mass_assignment_sanitizer = TestSanitizer.new
    yield
  ensure
    ActiveRecord::Base.mass_assignment_sanitizer = :logger
  end
end
gtd replied Mar 5, 2012

@jyap808 No, that wasn't a proper troll, but your comment certainly is :)

jurre replied Mar 5, 2012

@dhh posted this gist[0] earlier today and I'm wondering what everyone feels is the best way to handle this, I'm currently using attr_accessible but I do feel there's some merit to dhh's gist.

[0]https://gist.github.com/1975644

If nothing else, this breaks all 6+ years of prior documentation on generating models and applications. This seems inappropriate and unnecessary in a stable release, when the current behavior is not unreasonable and was so vociferously defended for years.

@allix I disagree, the current behavior is unreasonable and unacceptable since every application is insecure by default. The fact that Github could fall victim to a mass assignment vulnerability should be more than enough evidence that this change is necessary. In fact, I'd go even further and say that config.active_record.whitelist_attributes should be set to true by default (not just in the generated application.rb) and developers who don't want it should have to specifically disable it. Any documentation or app that is "broken" by that change was already broken anyway, the developers just didn't realize it, so this change would wake them up and make their apps more secure in the long run.

@stevenh512 Do we even know that GitHub was not using attr_accessible? They could have just opened up columns that are only accessible to admins to all users because of the bluntness of attr_accessible (somewhat remedied by the new role based feature).

Regardless, Rails can't protect developers against not paying attention when they apply untrusted form data directly to models - that is just an amateur mistake, and it seems most applications do just fine as their developers properly filter parameters before updating models. This is quite clearly the fault of GitHub developers, and it's unclear whether attr_accessible by default would have changed anything.

True, we don't really know that Github wasn't using attr_accessible, the only way to truly know the exact cause of their particular vulnerability is if they tell us.. but we do know that there are plenty of apps out there that are not using attr_accessbile because 1) it is not enforced by default, 2) there's a lot of bad documentation out there, and 3) beginner/intermediate developers see that it "just works" and don't think about the security implications (which goes back to 1). I think it's a lot easier to fix it in Rails and "break" those already broken applications than it would be to go through (as you said) 6+ years of documentation, fix it, and then hope everybody pays attention.

Fixing XSS vulnerability "broke" a lot of things too, but again, those things were already broken.

BTW, how many years of documentation were broken in moving from Rails 1 to 2, or 2 to 3, or even (NOT a "major version" upgrade) 3.0 to 3.1?

eval replied Mar 5, 2012

@pixeltrix looks nice - thanks!

Ruby on Rails member

Maybe I'm outdated, but I remember a Github conf saying that Github is still mostly under Rails 2.3.
So they do not use attr_accessible.

On another topic, I think this is not the role of the model layer to sanitize the user input.

Ruby on Rails member

@drogus: wow, why was I persuaded that it was a 3.0 feature... Sorry for this useless comment.

@stevenh512 regarding documentation, breaking documentation is fine for major or even minor releases. Not so much for a stable release. Anyhow, it's probably for the better.

@aliix regarding documentation, if that's the case, why not really fix this (instead of just for new apps) and call it 3.3.0?

And regarding apps, this is just my personal opinion.. but if I had an app that was vulnerable (I don't, becuase step 1 for me is to drop in an initializer that forces me to use attr_accessible.. but for the sake of argument, if I didn't know any better), I would much rather deal with "a Rails update broke my app" compared to "a vulnerability I wasn't aware of because I followed some bad docs caused my entire app to get owned and now my users are ready to hang me."

norv replied Mar 7, 2012

This is a good step, thanks for the fix!

I think there should be at least warnings, for older code, in the measure of possible, to raise awareness, by default. If not downright break those with no attr_accessible.

+1 on the fix, but the reason mass assignment exists in the first place is for convenience and DRYness of syntax. Sometimes it's still convenient to use update_attributes outside of a controller for 'unsafe' attributes and with a default whitelist you can't. What about something that mirrors #html_safe?:

foo.update_attributes({:a => 'bar'}.attr_safe)

@norv I agree, but I go a step further and say that a change to force mass-assignment security on all apps (not just new ones), with some reasonable way for a more advanced developer to disable it if they really needed to, wouldn't break a thing. Any app with those kinds of vulnerabilities was already broken the moment it was written and deployed and it's only a matter of time before someone exploits it.

@andyvb didn't see your comment while I was typing mine (we must have been commenting at the same time.. lol).. but the situation you describe is already handled by ActiveModel in Rails 3.1+.. that's what scoped attr_accessible whitelists are for.

@stevenh512 thanks for the info! Looks like :without_protection is what I'm looking for.

@andyvb I was thinking more of the scoped attr_accessible that Rails 3.1 gives us (attr_accessible :attr1, :attr2, :as => :admin), but yeah, :without_protection would also work and would probably be more backwards compatible. For 3.0 and earlier there's also a Railscast that teaches how to do something similar to 3.1's scoped attr_accessible.

What about *_ids methods?

Lot of people use attr_protected for keys and flags, simply because it is easier to blacklist a few fields than to withelist the rest.

How many of them ever used *_ids method to be aware of that? This is not even documented at http://guides.rubyonrails.org/security.html#countermeasures.

This SHOULD be protected by default in next release.

What about *_ids methods?

Lot of people use attr_protected for keys and flags, simply because it is easier to blacklist a few fields than to withelist the rest.

How many of them ever used *_ids method to be aware of that? This is not even documented at http://guides.rubyonrails.org/security.html#countermeasures.

Пойдет

rafaelfranca and others added some commits Mar 4, 2012
@rafaelfranca rafaelfranca Only add the whitelist_attributes option if ActiveRecord is present
Conflicts:

	railties/test/generators/app_generator_test.rb
	railties/test/isolation/abstract_unit.rb
f604a63
@rafaelfranca rafaelfranca Now all the models need to explicitly declare the accessible attributes 2a6b7e5
@NZKoz NZKoz Merge pull request #5278 from rafaelfranca/fix-build-3-2
[3-2-stable] Fix build
ebc5a19
@byroot byroot Fix #5069 - Protect foreign key from mass assignment throught associa…
…tion builder
e1a882a
@mariovisic mariovisic Failing test for mime responder respond_with using a block. 5b73a3a
@sikachu sikachu Always passing a respond block from to responder
We should let the responder to decide what to do with the given
overridden response block, and not short circuit it.

Fixes #5280
82a8698
@josevalim josevalim Merge pull request #5299 from sikachu/3-2-stable-fix-responder
Always passing a respond block from to responder
688e4f0
@mikel mikel Increasing minimum version of mail due to security vulnerability foun…
…d in Mail 2.4.1 for sendmail or exim
0d2798e
@josevalim josevalim Use latest rack-cache. 9c56401
@spastorino spastorino Deprecate ActionController::SessionManagement 74fe7e1
@josevalim josevalim Just change the formats on first render, closes #5307, closes #5308. bcea8cd
@josevalim josevalim Set the rendered_format on respond_to. e7560bc
@carlosantoniodasilva carlosantoniodasilva Add test case for #5307 b35fd40
@josevalim josevalim Remove usage of deprecated module. 3775058
@josevalim josevalim Merge pull request #5316 from Jacobkg/master
Update ActiveRecord::AttributeMethods#attribute_present? to return false for empty strings
524e8a1
@kuahyeow kuahyeow Add tests to test that through associations are not readonly, and we …
…can update the records we retrive from the association
9bcd662
@mreinsch mreinsch fix ArgumentError being raised in case of invalid byte sequences 55cac81
@carlosantoniodasilva carlosantoniodasilva Improve docs for attr_accessible|protected related to Hash#except|slice e63f04c
@Mik-die Mik-die typo 1f2224d
@swanandp swanandp Fixed a slightly misleading equivalent SQL code on the 3.2 query inte…
…rface.
30feb8c
@bschaeffer bschaeffer Fix doc examples for has_and_belongs_to_many association 357e288
@mattreduce mattreduce Fix typo in asset pipeline guide 061f8ae
@caius caius Fix typo in isolated engine docs 22a8433
@coreyhaines coreyhaines Left off a : when specifying the :namespace option for a :controller
path segment
df755d4
@vijaydev vijaydev In a nested resource route, the parent resource param is <resource_na…
…me>_id

This fix was made by @coreyhaines on docrails and merged in master.
Cleanly cherry picking into 3-2-stable wasn't possible.
c1a01c7
@vijaydev vijaydev changelog updates [ci skip] 3bfd651
@vijaydev vijaydev update changelogs for gems without changes too [ci skip] 263d842
@tenderlove tenderlove make active_connection? return true only if there is an open connecti…
…on in use for the current thread. fixes #5330
cff19cf
@brianmario

:+1:

curious if this will help any regarding brianmario/mysql2#66, brianmario/mysql2#209 or brianmario/mysql2#213

Ruby on Rails member

@brianmario I don't think so... I've seen those errors before, but I can't remember exactly the problem. IIRC, it happens if you have a low traffic app where the connection timeout is not long enough, but I can't remember.

@jeremy do you recall issues like these? I seem to remember there was a fix in rails.

Ruby on Rails member
fxn replied Mar 9, 2012

I know of an application that reports lost connections often. It is a busy application (about 40K rpm). A priori seems strange because the connection pool does a mysql_ping on checkout, so you got a successful ping and just milliseconds later the connection is lost (or the server gone, also happens). The MySQL server on the other hand seems to be doing fine.

Not saying it is related to this patch, just a followup.

@jrochkind

Awesome. Am hoping this helps solve a related problem I am trying to investigate in my app, causing it to require more connections in the pool than I think it ought to, since rails 3.0 even.

However, you now have two similar but different methods with similar but different names: release(conn) and release_connection(conn). Can you maybe put some inline comments in the new release explaining how it's different than release_connection

Alternately, do they need to be two different methods? The new release seems to possibly do a superset of what the old release_connection did -- should they just be combined?

Ruby on Rails member

release_connection actually takes the thread id associated with the connection. I think it's meant to be called with no arguments. release is meant to be called with a connection, and it's private. We could probably combine release_connection and release, but I wanted to make the smallest change possible. Fix bug in one commit, refactor later. :-)

parndt and others added some commits Mar 10, 2012
@parndt parndt Fixes issue #5193 using the instructions provided in the issue. f665e20
@parndt parndt Fixed problem when fixture_path is not always defined (incidentally, …
…only when ActiveRecord is according to test_help.rb).
5ef8069
@denisj denisj fix activerecord query_method regression with offset into Fixnum
add test to show offset query_methods on mysql & mysql2

change test to cover public API
f67944e
@josevalim josevalim Merge pull request #5400 from arunagw/issue_4409
Issue 4409
a9320f7
@josevalim josevalim Merge pull request #5398 from parndt/fix_issue_5193
Fix issue 5193
d2ac18a
@rafaelfranca rafaelfranca Do not use the attributes hash in the scaffold functional tests 5bed0e5
@rafaelfranca rafaelfranca Use the attributes hash explicitly ac8469d
@rafaelfranca rafaelfranca Use Ruby 1.8 hash syntax c1610eb
@josevalim josevalim Merge pull request #5410 from rafaelfranca/fix-scaffold-3-2
[3-2-stable] Do not use the attributes hash in the scaffold functional tests
dfbbf31
@kennyj kennyj [3-2-stable] Fix GH #5399. connection_pools's keys are ActiveRecord::…
…Base::ConnectionSpecification objects.
21d9c0f
@avakhov avakhov Fix layout method doc formatting 5f28145
@britto britto Close string quotes a782fea
@tenderlove tenderlove Merge pull request #5417 from kennyj/fix_5399-32
[3-2-stable] Fix GH #5399. connection_pools's keys are ActiveRecord::Base::ConnectionSpecification objects.
596ecf7
@jrochkind jrochkind ConnectionPool.checkout takes account of ruby using 'non-blocking con…
…dition variables' in mutex ConditionVariables
41563b4
@tenderlove tenderlove Merge pull request #5423 from jrochkind/checkout_account_for_monitor_…
…model

ConnectionPool.checkout needs to be restructured to take account of ruby's "non-blocking" strategy for mutex ConditionVariables
f2aea24
@dhh dhh Do not include the authenticity token in forms where remote: true as …
…ajax forms use the meta-tag value
16ee611
@dhh dhh Allow you to force the authenticity_token to be rendered even on remo…
…te forms if you pass true
e50abba
@drogus drogus Remove ActionController::TestCase#rescue_action_in_public!
This method has no effect since exception handling was
moved to middlewares and ActionController tests do not
use any middlewares.
ccf4ff0
@drogus drogus Check for existence of exactly the called `fixture_path=` method 9dfb41f
@tenderlove tenderlove Merge pull request #5338 from mreinsch/3-2-static_invalid_byte_sequence
3 2 static invalid byte sequence
f918137
@tenderlove tenderlove Merge pull request #5437 from kennyj/fix_5430
Fix GH #5430. A Payload name for schema_search_path should be SCHEMA.
bd3e1ed
@tenderlove tenderlove Merge pull request #5456 from brianmario/redirect-sanitization
Strip null bytes from Location header
f52ad6c
@tenderlove tenderlove Merge pull request #5457 from brianmario/typo-fix
Fix typo in redirect test
e135ff1
@tenderlove
Ruby on Rails member

Y U NO ADD TEST? :flushed:

Ruby on Rails member

A test was pushed later iirc.

Ruby on Rails member

:heart:

drogus and others added some commits Mar 15, 2012
@drogus drogus Fix #5440 - multiple render_to_string breaks partials formats
This fixes situation where rendering template to string
sets `rendered_format` to the format rendered there.
This is ok to have consistent formats rendered in partials,
but it breaks on next renders if format is explicitly set
or on last render where default format does not necessarily
need to be the format of first rendered template.
1eb6189
@drogus drogus Add missing test for #5308 7130f91
@josevalim josevalim Merge pull request #5480 from drogus/rendering-issues
Fix for #5440
e5b46cf
@josevalim josevalim Ensure load hooks can be called more than once with different contexts. c0a5b85
@drogus drogus Rubyracer does not work on ruby, so add it to Gemfile with :ruby plat…
…form only
41815f5
@kennyj kennyj Fix GH #5435. db:structure:dump should be re-enable. f4f9ec1
@drogus drogus Merge pull request #5493 from kennyj/fix_5435-32
[3-2-stable] Fix GH #5435. db:structure:dump should be re-enable.
d9355be
@arunagw arunagw Build fix for app_generator_test.rb 9451201
@josevalim josevalim Merge pull request #5498 from arunagw/build_fix_app_generator_test_3-…
…2-stable

Build fix app generator test 3 2 stable
c8fbd48
@mikel mikel Increase minimum version of mail.
  Second security vulnerability found in mail file delivery method
  patched in version 2.4.4.
74b7829
@arunagw arunagw Build fix for ruby1.8.7-358 fcc8743
@josevalim josevalim Merge pull request #5505 from arunagw/build_fix_1.8.7-3-2-stable
Build fix 1.8.7 3 2 stable
358333f
@khustochka

I wonder what happens in terms of graceful degradation then. With JavaScript off will the form remain protected from forgery?

Ruby on Rails member

In one of the next commits there is an option added to pass authenticity_token: true in order to keep that behavior.

Thanks, drogus. My fault, I must have looked at the next commit.

Not trolling here, but wouldn't this change (and the one in the next commit), break a lot of code where people do The Right Thing, and make their forms unobtrusive with graceful degradation?

I am not protesting the commit, just the fact that it was included in a patch version update (3.2.3) and it has the potential to catch a lot of people unawares...

Ruby on Rails member

:+1: to preserve the original behavior for 3-2-stable. We could use a config option to disable 'em instead.

Ruby on Rails member

@christos fixed here: d646d9d, thanks for reporting!

dhh and others added some commits Mar 20, 2012
@dhh dhh We dont need to merge in the parameters as thats all being reset by t…
…he rack headers (and its causing problems for Strong Parameters attempt of wrapping request.parameters because it will change in testing)
275ee0d
@mhfs mhfs [3-2-stable] Remove blank line from generated migration 57c6b4c
@kennyj kennyj migrate(:down) method with table_name_prefix 565bfb9
@josevalim josevalim Merge pull request #5533 from mhfs/migration_blank_line_3_2
[3-2-stable] Remove blank line from generated migration
f829515
@mhfs mhfs [3-2-stable] Port of #5522 'Fix adding/removing field's index when ge…
…nerating migration'
35bf748
@drogus drogus Merge pull request #5542 from mhfs/port_5522_to_32stable
Port of #5522 'Fix adding/removing field's index when generating migration'
89f8866
@kennyj kennyj Fix GH #5411. When precompiling, params method is undefined. 8c262f7
@josevalim josevalim Merge pull request #5525 from kennyj/fix_5411
Fix GH #5411. When precompiling, params method is undefined.
b714140
@carlosantoniodasilva carlosantoniodasilva Add order to tests that rely on db ordering, to fix failing tests on pg
Also skip persistente tests related to UPDATE + ORDER BY for postgresql

PostgreSQL does not support updates with order by, and these tests are
failing randomly depending on the fixture loading order now.
b332891
@tenderlove tenderlove Merge pull request #5557 from carlosantoniodasilva/fix-build-3-2
Fix build for branch 3-2-stable
ea4e021
@carlosantoniodasilva carlosantoniodasilva Fix identity map tests 0879ebd
@drogus drogus Merge pull request #5558 from carlosantoniodasilva/fix-build-3-2
Fix build for branch 3-2-stable - Part 2
ef48cea
@tenderlove tenderlove Merge pull request #5537 from kennyj/fix_4399-32
[3-2-stable] migrate(:down) method with table_name_prefix
0382e44
@tenderlove tenderlove chdir before globbing so that we don't need to escape directory names.
fixes #5521
eb0d8ee
@carlosantoniodasilva carlosantoniodasilva Return the same session data object when setting session id
Make sure to return the same hash object instead of returning a new one.
Returning a new one causes failures on cookie store tests, where it
tests for the 'Set-Cookie' header with the session signature.

This is due to the hash ordering changes on Ruby 1.8.7-p358.
907bcce
@abevoelker abevoelker Fix 'Security#Mass Assignment' URL typo ed7567c
anildigital and others added some commits Apr 6, 2012
@anildigital anildigital Fix Rails version in getting started guide. 1cd939a
@vijaydev vijaydev Merge pull request #5765 from anildigital/3-2-stable
Update getting started guide to change Rails version to Rails 3.2
bfd5c84
@anildigital anildigital Fix 'Everyday Git' link 05d4ccf
@rafaelfranca rafaelfranca default_url_options does not receive one argument anymore 5c7bcfc
@rafaelfranca rafaelfranca Document that default_url_options must return a hash with symbolized
keys
6f4f499
@spastorino spastorino Merge pull request #5784 from rafaelfranca/default_url-3-2
[3-2-stable] Document that default_url_options must return a hash with symbolized keys
e7671b5
@fxn fxn rewords the section about default_url_options in the Action Controlle…
…r Overview guide
b125db8
@fxn fxn Merge pull request #5725 from kevmoo/remove_unused_castcode
Remove unused castcode
dab76b1
@arunagw arunagw README fix! [skip ci] b1c28d7
@vijaydev vijaydev Merge pull request #5799 from arunagw/readme_fix
Readme fix
a85ffd0
@tenderlove tenderlove add the class name to the assertion message ca0c0a2
@tenderlove tenderlove bigdecimal can be duped on Ruby 2.0
Conflicts:

	activesupport/test/core_ext/duplicable_test.rb
2991370
@tenderlove tenderlove probably should require the objects we monkey patch. fedd87c
@jeremy jeremy Merge pull request #5800 from arunagw/bigdecimal_dup
Backport BigDecimal#duplicable? feature check from master
e0fd4fc
@tenderlove tenderlove test against ruby features in order to fix tests on Ruby 2.0 96d81e5
@jeremy jeremy Merge pull request #5820 from arunagw/more_ruby-2-0-fixes
Update test for Ruby 2 compatibility
e473e1f
@sikachu sikachu Fix code example in generator test case c0e6a85
@vijaydev vijaydev fix typo in readme [ci skip] efa9a1f
@alekseykulikov alekseykulikov "rails new -h" shows message in rails directory 2f9fdbf
@drogus drogus Add missing require in Active Support time zones (fixes #5854)
I also removed the other require as it's already present in
`activesupport/core_ext/time/calculations`
a748eca
@arunagw arunagw multi_json is restricted to < 1.3
Some API changes are there above 1.3. 
3-2-stable
9b14e3f
@jeremy jeremy Merge pull request #5861 from arunagw/multi_json_fix_3-2-stable
Restrict multi_json to >= 1.0, < 1.3 to avoid API changes in 1.3
9a97699
@tiegz tiegz catch nil.to_sym errors in partial_renderer, and raise ArgumentError …
…instead
dcc11b2
@tiegz tiegz converting some tests to assert_raises, and DRY'ing retrieve_variable…
… changes

Conflicts:

	actionpack/test/template/render_test.rb
6b8dd70
@asanghi asanghi Replace ruby-debug19 which doesnt work on 1.9.3 out of the box with a…
… more maintained debugger gem
56674db
@jeremy jeremy Merge pull request #5874 from asanghi/3-2-stable
replace ruby-debug19 with debugger on Rails 3-2 stable
89f99e8
@norman norman Check for nil logger d92166c
@tenderlove tenderlove Merge pull request #5894 from norman/3-2-fix-nil-logger
Fix nil logger on 3.2
476fa7a
@spastorino spastorino Add hook for add_resource_route 3986139
@jeremy jeremy Revert "Fix #5667. Preloading should ignore scoping."
Causes a subtle regression where record.reload includes the default
scope. Hard to reproduce in isolation. Seems like the relation is
getting infected by some previous usage.

This reverts commit dffbb521a0d00c8673a3ad6e0e8ff526f32daf4e.
1166d49
@sferik sferik Revert "multi_json is restricted to < 1.3 "
This reverts commit 9b14e3ff80ee4044cfd89a11effcb5f52eaf888b.
e01bf0a
@sferik sferik Use `Object#respond_to?` to determine which MultiJson API to use 5e62670
@benedikt benedikt Removes caching from ActiveRecord::Core::ClassMethods#relation
The #relation method gets called in four places and the return value was instantly cloned in three of them. The only place that did not clone was ActiveRecord::Scoping::Default::ClassMethods#unscoped. This introduced a bug described in #5667 and should really clone the relation, too. This means all four places would clone the relation, so it doesn't make a lot of sense caching it in the first place.

The four places with calls to relations are:

activerecord/lib/active_record/scoping/default.rb:110:in `block in build_default_scope'"
activerecord/lib/active_record/scoping/default.rb:42:in `unscoped'"
activerecord/lib/active_record/scoping/named.rb:38:in `scoped'"
activerecord/lib/active_record/scoping/named.rb:52:in `scope_attributes'"

Conflicts:

	activerecord/lib/active_record/core.rb
13f1401
@benedikt benedikt Adds test to check that circular preloading does not modify Model.uns…
…coped (as described in #5667)

Conflicts:

	activerecord/test/cases/associations/eager_test.rb
8491740
@benedikt benedikt Revert "Revert "Fix #5667. Preloading should ignore scoping.""
This reverts commit 1166d49f62ccab789be208112163ad13183224e2.

Conflicts:

	activerecord/test/cases/associations/eager_test.rb
2c21a2f
@benedikt benedikt Removes unneeded caching from ActiveRecord::Base.relation ebfa58a
@jeremy jeremy Merge pull request #5898 from benedikt/3-2-stable
Readds the fix for #5667 and back ports the regression fix from #5718
b9e5c5a
@amatsuda amatsuda Be sure to correctly fetch PK name from MySQL even if the PK has some…
… custom option

Backports #5900

Conflicts:

	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
f51557d
@joevandyk joevandyk Only include Rake::DSL if it's defined.
rake < 0.9 doesn't define Rake::DSL.
07b1fe5
@jeremy jeremy Merge pull request #5896 from sferik/revert_5861
Revert #5861. Feature-detect which MultiJson API to use.
c3d50b3
@arunagw arunagw ARes URL should be pointed to 3-2-stable tree not master. 210713e
@vijaydev vijaydev Merge pull request #5935 from arunagw/readme_fixes_3-2-stable
As ARes is removed from master then 3-2-stable URL should be in README.
0ed6e13
@arunagw arunagw Updated other README to point 3-2-stable 21b1a79
@vijaydev vijaydev Merge pull request #5936 from arunagw/other_readme_fixes
Updated other README to point 3-2-stable
979e9d0
@jeremy jeremy Merge pull request #5919 from joevandyk/rake-dsl-fix
Only include Rake::DSL if it's defined (Rake >= 0.9)
dd01c11
@tenderlove tenderlove Merge pull request #5866 from tiegz/minor_fixes_3-2-stable
Catch nil.to_sym errors in partial_renderer, and raise ArgumentError instead
0f5af60
@sikachu sikachu Fix broken test from the earlier merge conflict
Seriously people, please run the test before submitting pull request.
0f3fd78
@spastorino spastorino Merge pull request #5946 from sikachu/3-2-stable-fix-merge-conflict
Fix broken test from the earlier merge conflict
db6787a
@kennyj kennyj Fix build. It seems that the Mocha's behavior were changed. d95f3d3
@jeremy jeremy Merge pull request #5968 from sikachu/3-2-stable-backport
Backport workarounds for Mocha behavior changes.
9212083
@carlosantoniodasilva carlosantoniodasilva Add extra order clause to fix failing test on Ruby 1.8.7 20f398d
@jeremy jeremy Merge pull request #5971 from carlosantoniodasilva/fix-build-3-2
Add extra order clause to fix failing test on Ruby 1.8.7
7d95b81
@vijaydev vijaydev fix number_to_human docs [ci skip] 006de25
@tenderlove tenderlove Merge pull request #4528 from j-manu/log-tailer-fix
Fix for log tailer when the log file doesn't exist.
05bee99
@carlosantoniodasilva carlosantoniodasilva Do not mutate options hash 7006e97
@tenderlove tenderlove Merge pull request #6022 from sikachu/3-2-stable-record_tag_backport
Do not mutate options hash
434be0f
@oscardelben oscardelben Remove circular require of time/zones 61d84e0
@drogus drogus Merge pull request #6038 from arunagw/warning_removed_3-2-stable
Warning removed 3 2 stable
86559be
tomhuda Allow Thor 0.15 and 1.0, to be released shortly 7dc83f7
@drogus drogus Lazy load `default_form_builder` if it's passed as a string
closes #3341
beba826
@pixeltrix pixeltrix Don't convert params if the request isn't HTML - fixes #5341
(cherry picked from commit 7a80b69e00f68e673c6ceb5cc684aa9196ed3d9f)

Conflicts:

	actionpack/test/controller/test_test.rb
d6bbd33
@rafaelfranca rafaelfranca Fix the build.
* The method for persisted records in 3-2-branch is 'PUT'
* size is generated by default in inputs
a782aa5
@rafaelfranca rafaelfranca Remove warning of unused variable b18603b
@josevalim josevalim Merge pull request #6051 from rafaelfranca/fix_build
Fix the build
0df261a
@pixeltrix pixeltrix Escape interpolated params when redirecting - fixes #5688 b608cdd
@pixeltrix pixeltrix Add missing require from b608cdd64c95d0d16eb98d86562e22f3b01be9e3 4075a39
@pixeltrix pixeltrix Restore interpolation of path option in redirect routes 6cad407
@rafaelfranca rafaelfranca Add missing require when helpers are used in isolation 6b8a3a0
@rafaelfranca rafaelfranca Deprecate link_to_function and button_to_function helpers 9dc57fe
@rafaelfranca rafaelfranca Add CHANGELOG entry.
Closes #5886
Closes #3093
342b54a
@rafaelfranca rafaelfranca Add release data to Rails 3.2.3 3005f58
@jeremy jeremy Merge pull request #5922 from rafaelfranca/deprecate_javascript_helpers
Deprecate link_to_function and button_to_function
8fec5d7
@pixeltrix pixeltrix Add note about using 303 See Other for XHR requests other than GET/POST
IE since version 6 and recently Chrome and Firefox have started following
302 redirects from XHR requests other than GET/POST using the original request
method. This can lead to DELETE requests being redirected amongst other things.

Although it doesn't directly affect the Rails framework since it doesn't return
a 302 redirect to any non-GET/POST request a note has been added to raise
awareness of the issue. Some references:

Original article from @technoweenie:
http://techno-weenie.net/2011/8/19/ie9-deletes-stuff/

Hacker News discussion of the article:
http://news.ycombinator.com/item?id=2903493

WebKit bug report:
https://bugs.webkit.org/show_bug.cgi?id=46183

Firefox bug report and changeset:
https://bugzilla.mozilla.org/show_bug.cgi?id=598304
https://hg.mozilla.org/mozilla-central/rev/9525d7e2d20d

Chrome bug report:
http://code.google.com/p/chromium/issues/detail?id=56373

HTTPbis bug report and changeset:
http://trac.tools.ietf.org/wg/httpbis/trac/ticket/160
http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1428

Roy T. Fielding's history of the issue:
http://ftp.ics.uci.edu/pub/ietf/http/hypermail/1997q3/0611.html

Automated browser tests for the issue:
http://www.mnot.net/javascript/xmlhttprequest/

Fixes #4144
(cherry picked from commit 24f143789a8989f3bccde14ff28067de25cafd87)
a72fe84
@willbryant willbryant fix the Flash middleware loading the session on every request (very d…
…angerous especially with Rack::Cache), it should only be loaded when the flash method is called
e3069c6
@drogus drogus Failing test for #6034 2b2983d
@IamNaN IamNaN Correcting some confusion. Pago Pago is part of American Samoa, not S…
…amoa.

Further, Samoa and Tokelau jumped across the IDL from Dec 29 to Dec 31, 2011
switching from UTC-11 to UTC+13. American Samoa did not make the change and
remains at UTC-11. Pacific/Fakaofo and Pacific/Apia are in TZInfo and
documentation about the dateline change is in austalasia at IANA.

(cherry picked from commit 1d08ce5f56e45fdee41bb16b2d8d4464bc69bf22)
5fe88b1
@route route Fix #3993 assets:precompile task does not detect index files df84577
@route route Added test for assets:precompile for index files 580e767
@drogus drogus Deprecate remove_column with array as an argument 02ca915
@jeremy jeremy Merge pull request #6095 from route/assets_precompile_task
Fix that asset precompile didn't respect the index.js convention. Fixes #3993.
ebe994f
Francesco Rodriguez Fix #4979 against 3-2-stable - delete_all raise an error if a limit i…
…s provided
4657dba
@pixeltrix pixeltrix Reset the request parameters after a constraints check
A callable object passed as a constraint for a route may access the request
parameters as part of its check. This causes the combined parameters hash
to be cached in the environment hash. If the constraint fails then any subsequent
access of the request parameters will be against that stale hash.

To fix this we delete the cache after every call to `matches?`. This may have a
negative performance impact if the contraint wraps a large number of routes as the
parameters hash is built by merging GET, POST and path parameters.

Fixes #2510.
(cherry picked from commit 56030506563352944fed12a6bb4793bb2462094b)
7c7fb3a
@nragaz nragaz Add a role option to wrap_parameters.
The role option identifies which parameters are accessible and should be wrapped. The default role is :default.
bfb25f9
@kucaahbe kucaahbe improvements in "caching_with_rails" guide - backported from docrails
Conflicts:

	railties/guides/source/caching_with_rails.textile
b4ae94f
@vijaydev vijaydev Merge pull request #6158 from Dagnan/3-2-stable
improvements in "caching_with_rails" guide
5384bdb
@mjtko mjtko added beginning_of_hour support to core_ext calculations for Time and…
… DateTime
145cc69
@josevalim josevalim Merge pull request #4445 from nragaz/role_based_params_wrapping
specify a role for identifying accessible attributes when wrapping params
efb054b
@tenderlove tenderlove Merge pull request #6128 from frodsan/delete_all_limit_32
Fix #4979 against 3-2-stable
80a292c
@drogus drogus Give more detailed instructions in script/rails in engine
closes #4894
915879c
@jeremy jeremy Merge pull request #6170 from mjtko/feature-beginning_of_hour-for-3-2…
…-stable

Backport beginning and end of hour support for Time and DateTime to 3-2-stable
7fb268d
@whistlerbrk whistlerbrk Add failing test re #3436 which demonstrates content_type is not resp…
…ected when using the :head method/shortcut
6f38348
@whistlerbrk whistlerbrk If content_type is explicitly passed to the :head method use the valu…
…e or fallback
4d52738
@josevalim josevalim Merge pull request #6198 from whistlerbrk/3-2-stable
Address ActionPack head method not respecting explicitly set content-type #3436
b86e0be
@arunagw arunagw locking ruby-prof until we got a fix 764e2de
@spastorino spastorino Merge pull request #6200 from arunagw/3-2-stable
locking ruby-prof for now.
b12d03d
Francesco Rodriguez added docs to attribute_accessors methods 96fe0af
@vijaydev vijaydev Merge pull request #6211 from frodsan/docs_attr_accessor_32stable
Adding docs to attribute accessor methods.
ad4d408
Francesco Rodriguez removing docs duplication 16a9a87
@frodsan frodsan closed this May 8, 2012
@josevalim
Ruby on Rails member

Scumbag @wycats, changes Thor semantically from 0.14 -> 0.15, commits to Rails 3-2-stable saying Thor will guarantee semver. :trollface:

What are the chances of bringing this back to 3.1.X? 0%???

Ruby on Rails member

@nikosd unfortunately none. 3-1-stable is not under maintenance anymore. This branch only accepts security fixes

I imagine that :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.